On Fri, Feb 10, 2012 at 12:29 PM, Pandu Poluan <pandu@××××××.info> wrote:
>
> On Feb 11, 2012 12:16 AM, "Michael Orlitzky" <michael@××××××××.com> wrote:
>>
>> On 02/10/12 11:46, Pandu Poluan wrote:
>> >
>> > On Feb 10, 2012 10:08 PM, "Mick" <michaelkintzios@×××××.com> wrote:
>> >>
>> >> > > The need: a VPN client that:
>> >> > > + can selectively send packets fulfilling a criterion (in this
>> >> > > case, dest= IP address of internal server)*
>> >>
>> >> As far as I know typical VPNs require the IP address (or FQDN) of the
>> >> VPN gateway. If yours changes because ISP A goes down then the tunnel
>> >> will fail and be torn down.
>>
>> I must have missed the original message. OpenVPN can do this. Just
>> specify multiple "remote vpn.example.com" lines in your client configs,
>> one for each VPN server.
>>
>> It also handles updating the routing table for you. Rather than match
>> "IP address of internal server," it will match "IP address on internal
>> network" and route through the VPN automatically.
>>
>
> I'm still torn between OpenVPN and HAproxy. The former works with both TCP
> and UDP, while the latter is lighter and simpler but works with TCP only*.
>
> *The traffic will be pure TCP, but who knows, I might need a UDP tunnel in
> the future.
>
> Any experience with either?
>
> Do note that I don't actually need strong security (e.g. IPsec); I just
> need automatic failover *and* fallback.

We're not using multiple internet connections to the same network
where I work, but we do use UDP-based OpenVPN to connect a few
networks.

TCP OpenVPN connections are very, very bad, IMO. With a TCP VPN, you
easily break systems' TCP stacks' link bandwidth estimation. I once
had a 30s ping time, because the pipe was hogged and backlogged from a
mail client synchronizing.

--
:wq
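The multi-remote, UDP OpenVPN client setup the thread describes, as an added example configuration that is not from any poster in the thread; the hostnames, port, networks and file paths are placeholders:

```conf
# OpenVPN 2.x client config (added example; vpn-a.example.com,
# vpn-b.example.com, 192.168.10.0/24 and the file paths are placeholders).
client
dev tun
# UDP, as the thread recommends: a TCP-in-TCP tunnel lets the outer
# retransmits fight the inner connections' congestion control, which
# is how a backlogged sync turns into multi-second ping times.
proto udp
# One "remote" per public address of the gateway (reached via ISP A,
# then ISP B). When the current tunnel is declared dead (see
# ping-restart below) OpenVPN moves on to the next remote in list
# order and wraps around; without remote-random a fresh start always
# begins with the first entry.
remote vpn-a.example.com 1194
remote vpn-b.example.com 1194
# Keep retrying DNS lookups and connections instead of exiting.
resolv-retry infinite
connect-retry 5
nobind
persist-key
persist-tun
# Detect a dead path quickly: ping every 10s, restart (and advance to
# the next remote) after 60s of silence. The server can push the same
# values with "keepalive 10 60".
ping 10
ping-restart 60
# TLS material; remote-cert-tls rejects a peer presenting a client
# certificate in place of the gateway's server certificate.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
remote-cert-tls server
verb 3
# Routing: no static route here. The server pushes
#   push "route 192.168.10.0 255.255.255.0"
# so only traffic for the internal network enters the tunnel and the
# normal default route is left alone, i.e. "IP address on internal
# network" rather than one specific server address.
# Caveat: this gives failover, not automatic fallback. OpenVPN only
# moves to another remote when the current tunnel drops; it does not
# return to vpn-a on its own while the vpn-b tunnel is still healthy.
```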